Cybersecurity Investigation


Cybersecurity Investigation examines digital events and evidence to identify, analyze, and understand security incidents or potential threats within a computer system or network. It's a systematic approach to uncover the "who, what, when, where, and how" of a cybersecurity event.

Here's a breakdown of the key aspects:

  • Purpose: The primary purpose of a cybersecurity investigation is to:

    • Determine the root cause of a security incident (e.g., malware infection, unauthorized access).

    • Identify the scope and impact of the incident (e.g., data breached, systems compromised).

    • Gather evidence for legal or disciplinary action.

    • Improve security measures to prevent future incidents.

  • Scope: Cybersecurity investigations can cover a wide range of incidents, including:

    • Data breaches

    • Malware infections

    • Denial-of-service attacks

    • Insider threats

    • Unauthorized access

    • Phishing attacks

  • Process: A typical cybersecurity investigation involves several key steps:

    • Identification: Detecting a potential security incident.

    • Preservation: Securing and preserving digital evidence to maintain its integrity.

    • Collection: Gathering relevant data from various sources (e.g., logs, network traffic, hard drives).

    • Examination: Analyzing the collected data to reconstruct events and identify the cause of the incident.

    • Analysis: Interpreting the findings and drawing conclusions.

    • Reporting: Documenting the investigation process and findings.

  • Evidence: Cybersecurity investigations rely on various types of digital evidence:

    • Log files

    • Network traffic data

    • Hard drive images

    • Memory dumps

    • Email records

  • Tools and Techniques: Investigators use specialized tools and techniques, such as:

    • Forensic software

    • Network analysis tools

    • Log analysis tools

    • Malware analysis
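The Preservation and Collection steps above hinge on being able to prove later that collected evidence was not altered. The following is an added example, not code from the original page or from ThreatNG: it hashes each collected artifact, records the digests in a chain-of-custody manifest together with the collector and collection time, seals the manifest itself, and re-verifies the artifacts against it. The evidence items are constructed in-memory byte strings with documentation-range addresses; a real acquisition would read the captured log files, disk images or memory dumps from storage.

```python
"""Evidence preservation: hash-based integrity manifest for collected artifacts.

Added example (not part of the original page). Evidence items below are
constructed sample data, not real case material.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: artifact name -> raw bytes as acquired.
EVIDENCE = {
    "web01-auth.log": (
        b"2024-05-01T02:14:07Z sshd[412]: Failed password for admin "
        b"from 203.0.113.9 port 51022\n"
    ),
    "web01-memory.raw": bytes(range(256)) * 4,
    "mail-export.eml": b"From: alice@example.com\nSubject: Invoice\n\nSee attached.\n",
}


def hash_evidence(data: bytes) -> str:
    """Return the SHA-256 hex digest of one evidence item."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict, collector: str) -> dict:
    """Record who collected what, when, and the digest and size of each item."""
    return {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": {
            name: {"sha256": hash_evidence(data), "size": len(data)}
            for name, data in items.items()
        },
    }


def seal_manifest(manifest: dict) -> str:
    """Digest of the canonical JSON form of the manifest.

    Recording this value out of band (case file, ticket, signed note) lets a
    reviewer detect later edits to the manifest itself, not just to the items.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_manifest(manifest: dict, items: dict) -> list:
    """Return a sorted list of discrepancies; an empty list means all items match."""
    problems = []
    for name, rec in manifest["items"].items():
        data = items.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif len(data) != rec["size"] or hash_evidence(data) != rec["sha256"]:
            problems.append(f"{name}: digest mismatch")
    for name in items:
        if name not in manifest["items"]:
            problems.append(f"{name}: not in manifest")
    return sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, collector="analyst-1")
    print("manifest seal:", seal_manifest(manifest))
    print("verification on pristine copy:", verify_manifest(manifest, EVIDENCE))
    # Simulate an altered log line in the working copy and re-verify.
    altered = dict(EVIDENCE)
    altered["web01-auth.log"] = altered["web01-auth.log"].replace(b"admin", b"root")
    print("verification on altered copy:", verify_manifest(manifest, altered))
```

In practice the manifest and its seal are produced at acquisition time on the original media, and analysis is done on working copies; any later verification that returns a non-empty list means the copy can no longer be relied upon as evidence.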

ThreatNG's capabilities can contribute valuable information during various phases of a cybersecurity investigation, particularly concerning the external attack surface and related risks.

1. External Discovery

  • ThreatNG's external discovery helps define the scope of a cybersecurity incident by identifying all external-facing assets.

  • ThreatNG is "able to perform purely external unauthenticated discovery using no connectors". This capability is crucial for identifying all potential entry points and affected systems from an external perspective.

  • Example: ThreatNG discovers all subdomains, web applications, cloud services, and exposed systems, providing a complete inventory of the external attack surface that might be involved in an incident.

  • Complementary Solutions:

    • Endpoint Detection and Response (EDR) Systems: EDR systems provide detailed information about activity on individual devices, which can be combined with ThreatNG's external view to understand the full scope of an incident.

    • Network Traffic Analysis (NTA) Tools: NTA tools can provide insights into network traffic patterns, which can help identify malicious activity and data exfiltration related to an incident.

2. External Assessment

  • ThreatNG's external assessments provide valuable information about potential vulnerabilities and weaknesses that might have been exploited during a cybersecurity incident.

  • ThreatNG can perform all the following assessment ratings:

    • Web Application Hijack Susceptibility: Assesses vulnerabilities in web applications that could have been the entry point for an attack.

    • Subdomain Takeover Susceptibility: Evaluates the risk of subdomain takeovers, which could lead to unauthorized control of web assets.

    • Code Secret Exposure: Discovers exposed code repositories and sensitive data within them, which could be a source of compromised credentials.

  • Examples:

    • The "Web Application Hijack Susceptibility" assessment can help investigators identify specific web application vulnerabilities that attackers might have used to gain initial access.

    • The "Code Secret Exposure" assessment can reveal if credentials or API keys were exposed in code repositories, which could explain how attackers gained unauthorized access.

  • Complementary Solutions:

    • Vulnerability Scanners: These tools can provide more detailed vulnerability information (e.g., CVEs) to help investigators understand the severity and exploitability of vulnerabilities identified by ThreatNG.

    • Penetration Testing Tools: Penetration testing results can validate ThreatNG's assessment findings and provide real-world context for how vulnerabilities could be exploited.

3. Reporting

  • ThreatNG's reporting capabilities can aid in documenting and communicating findings during a cybersecurity investigation.

  • It offers various reporting formats, including technical reports that provide detailed information about vulnerabilities and security risks.

  • Example: ThreatNG's reports on "Data Leak Susceptibility" and "Mobile App Exposure" can provide evidence of potential data exfiltration vectors or compromised data within mobile apps.

  • Complementary Solutions:

    • Incident Response Platforms: These platforms can use ThreatNG's data to track the investigation, manage communication, and coordinate response activities.

    • Forensic Reporting Tools: Forensic tools can provide detailed reports on digital evidence, combined with ThreatNG's findings to create a comprehensive picture of the incident.

4. Continuous Monitoring

  • ThreatNG's continuous monitoring can help detect ongoing incidents or identify changes in the external attack surface that might be relevant to an investigation.

  • ThreatNG provides "Continuous Monitoring of external attack surface, digital risk, and security ratings of all organizations".

  • Example: ThreatNG's continuous monitoring can detect new or changed external assets that might be involved in an incident, such as a newly exposed server or a compromised web application.

  • Complementary Solutions:

    • Intrusion Detection/Prevention Systems (IDS/IPS): These systems monitor network traffic in real time for malicious activity that might indicate an ongoing incident.

    • Security Orchestration, Automation, and Response (SOAR) Platforms: SOAR platforms can correlate ThreatNG's monitoring data with other security alerts to identify and respond to potential incidents.

5. Investigation Modules

  • ThreatNG's investigation modules provide detailed information and search capabilities to aid cybersecurity investigations.

  • These modules include:

    • Domain Intelligence: Provides information about domains, subdomains, and DNS records, which can be relevant to investigating phishing or other domain-based attacks.

    • Sensitive Code Exposure: This helps investigate whether exposed code repositories were a source of compromised credentials or other sensitive information.

    • Mobile Application Discovery: Aids in investigating whether mobile apps were involved in an incident by discovering the organization's mobile apps and any credentials present in them.

  • Examples:

    • The "Domain Intelligence" module can help investigate if a cybersecurity incident involved phishing attacks by providing information about suspicious or lookalike domains.

    • The "Sensitive Code Exposure" module can help determine if exposed credentials in code repositories were used to gain unauthorized access.

  • Complementary Solutions:

    • Digital Forensics Tools: These tools provide in-depth analysis of digital devices to recover evidence and understand attacker activity.

    • Log Analysis Tools: These tools can help analyze logs from various systems to identify the timeline of events and the extent of the incident.

6. Intelligence Repositories

  • ThreatNG's intelligence repositories provide valuable context and threat intelligence that can be used during a cybersecurity investigation.

  • These repositories ("DarCache") include information on:

    • Dark Web: Provides intelligence on dark web activity, which can help identify if stolen data is being sold or discussed online.

    • Compromised Credentials: Contains information on compromised credentials, which can help determine if stolen credentials were used in the incident.

    • Ransomware Groups and Activities: Tracks over 70 ransomware gangs (DarCache Ransomware), which can help attribute an incident to a known group.

  • Example: The "DarCache Dark Web" repository can help investigators determine if compromised credentials related to the organization are being traded or sold on the dark web, which could result from a data breach.

  • Complementary Solutions:

    • Threat Intelligence Platforms (TIPs): Integrating with TIPs can provide a broader and more diverse set of threat intelligence, enriching the investigation with information about threat actors, campaigns, and tactics.

    • Security Analytics Platforms: These platforms can correlate ThreatNG's findings with other security data to provide a more comprehensive view of the incident.

ThreatNG offers a range of capabilities that can be valuable during Cybersecurity Investigations. By providing information about the external attack surface, vulnerabilities, and threat intelligence, ThreatNG can help organizations understand how an incident might have occurred, what data might be at risk, and the potential impact of the incident. The potential to work with complementary solutions further enhances the effectiveness of the investigation process.
